Crash in [@ mozilla::net::CallOnStop::~CallOnStop]
Categories
(Core :: Networking: WebSockets, defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr68 | --- | unaffected |
firefox-esr78 | --- | unaffected |
firefox78 | --- | unaffected |
firefox79 | --- | unaffected |
firefox80 | --- | fixed |
People
(Reporter: u608768, Assigned: kershaw)
References
Details
(Keywords: crash, Whiteboard: [necko-triaged])
Crash Data
Attachments
(1 obsolete file)
This bug is for crash report bp-61a11c5f-92cc-4df1-bba3-647150200717.
Top 10 frames of crashing thread:
0 libxul.so mozilla::net::CallOnStop::~CallOnStop netwerk/protocol/websocket/WebSocketChannel.cpp:593
1 libxul.so mozilla::net::CallOnStop::~CallOnStop netwerk/protocol/websocket/WebSocketChannel.cpp:593
2 libxul.so mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal xpcom/string/nsSubstring.cpp
3 libxul.so mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal xpcom/threads/nsThreadUtils.h:577
4 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1234
5 libxul.so nsThread::Shutdown xpcom/threads/nsThread.cpp:898
6 libxul.so mozilla::net::nsSocketTransportService::ShutdownThread netwerk/base/nsSocketTransportService2.cpp:853
7 libxul.so mozilla::net::nsIOService::SetOffline netwerk/base/nsIOService.cpp:1314
8 libxul.so mozilla::net::nsIOService::Observe netwerk/base/nsIOService.cpp:1601
9 libxul.so non-virtual thunk to mozilla::net::nsIOService::Observe netwerk/base/nsIOService.cpp
Started in build 20200716212737. Regression window: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c8e9ecbc6236ea4cf1aa5063f20583e1f574f2b9&tochange=a35461d1fc07e6e855d064453363a46d32bb5a3d
kershaw, could this have been bug 1497249.
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 1•4 years ago
|
||
Based on this report, It seems that the WebSocketChannel
is already released. Since the channel is stored by a strong pointer in CallOnStop
, the address should be already invalid when constructing CallOnStop
. I think this should be caused by releasing the channel when nsWebSocketConnection::Close()
is called here.
Assignee | ||
Comment 2•4 years ago
|
||
Comment 3•4 years ago
|
||
(In reply to Kershaw Chang [:kershaw] from comment #1)
the address should be already invalid when constructing
CallOnStop
.
But what scenario could lead to calling WebSocketChannel::DoStopSession() on a freed object? I would expect there is somewhere a strong reference on the callstack...
Assignee | ||
Comment 4•4 years ago
|
||
(In reply to Michal Novotny [:michal] from comment #3)
(In reply to Kershaw Chang [:kershaw] from comment #1)
the address should be already invalid when constructing
CallOnStop
.But what scenario could lead to calling WebSocketChannel::DoStopSession() on a freed object? I would expect there is somewhere a strong reference on the callstack...
I think (In reply to Michal Novotny [:michal] from comment #3)
(In reply to Kershaw Chang [:kershaw] from comment #1)
the address should be already invalid when constructing
CallOnStop
.But what scenario could lead to calling WebSocketChannel::DoStopSession() on a freed object? I would expect there is somewhere a strong reference on the callstack...
I think this happens when WebSocketChannel::CleanupConnection()
is called inside WebSocketChannel::DoStopSession()
. Could be here. I assume at this point, the only strong reference that holds WebSocketChannel is the mConnection
. And then, nsWebSocketConnection::Close()
is called and the channel is released at here. At the end, an invalid address is passed to CallOnStop's constructor.
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1ab7f1314221 Don't release WebSocketChannel in nsWebSocketConnection::Close, r=michal,necko-reviewers
Comment 6•4 years ago
|
||
Backed out for remote failures on nsWebSocketConnection.cpp
Backout link: https://hg.mozilla.org/integration/autoland/rev/9a37a0e7de35daa6572a1499556a9e814cff7bc8
Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=310416766&repo=autoland&lineNumber=1689
Updated•4 years ago
|
Assignee | ||
Comment 7•4 years ago
|
||
(In reply to Narcis Beleuzu [:NarcisB] from comment #6)
Backed out for remote failures on nsWebSocketConnection.cpp
Backout link: https://hg.mozilla.org/integration/autoland/rev/9a37a0e7de35daa6572a1499556a9e814cff7bc8
Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=310416766&repo=autoland&lineNumber=1689
https://treeherder.mozilla.org/#/jobs?repo=try&revision=78c14e3fb0f6148b07178d86ba5117d5a948546a
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1c9946becbca Don't release WebSocketChannel in nsWebSocketConnection::Close, r=michal,necko-reviewers
Updated•4 years ago
|
Comment 10•4 years ago
|
||
bugherder |
Comment 11•4 years ago
|
||
Backed out 3 changesets (bug 1653642, bug 1497249) for causing Bug 1654282.
Backed out changeset 1c9946becbca.
Link: https://hg.mozilla.org/integration/autoland/rev/d72591a16d42a6cefcffe3df901fa9d0db440193
Comment 12•4 years ago
|
||
Backout merged to central: https://hg.mozilla.org/mozilla-central/rev/d72591a16d42
Assignee | ||
Comment 13•4 years ago
|
||
This should be fixed by backing out bug 1497249.
Updated•4 years ago
|
Updated•4 years ago
|
Description
•